Command injection vulnerability in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. The vulnerability exists in the console.run_module_with_output() function and breaks intended command structure. This causes the Metasploit console to execute additional unintended commands. The flaw can lead to arbitrary command execution and manipulation of Metasploit sessions. Attackers can exploit this by injecting malicious commands through module parameters.